Hi, It would be great if you can submit this as a patch to WSS4J. SAML token validation should be further improved from the WSS4J side.
Thanks.
/thilina

E-Mail : [email protected]
I blog here : http://thilinamb.com

2009/10/21 Håkon Sagehaug <[email protected]>

> Hi again
>
> But I used the other way of building the dom element, using the byte stream
> approach, and then the signature validation was successful, so thanks for
> the pointer to the patch.
>
> cheers, Håkon
>
> 2009/10/21 Håkon Sagehaug <[email protected]>
>
> > Hi Nandana,
> >
> > As far as I see from the patch and also stated in the comment for the
> > SAML2TokenProcessor#buildAssertion
> >
> > "At the moment it only validates by building an assertion similar to the
> > SAMLTokenProcessor"
> >
> > Not validating the actual signature for the assertion, so the building
> > token part is okay, but not validating the signature. But maybe this issue
> > has been dealt with? And also using the SAML 1 I had to validate the
> > signature in my application, because the wss4j SAMLProcessor for SAML1 only
> > builds it, and made it available through the WSSecurityEngineResult object.
> >
> > cheers, Håkon
> >
> > 2009/10/21 Nandana Mihindukulasooriya <[email protected]>
> >
> >> Hi Håkon,
> >> Did you take a look at the patch [1]? It is not yet applied to WSS4J
> >> trunk but I think it will be useful for you.
> >>
> >> regards,
> >> Nandana
> >>
> >> [1] - https://issues.apache.org/jira/browse/WSS-204
> >>
> >> 2009/10/21 Håkon Sagehaug <[email protected]>
> >>
> >> > Hi all,
> >> >
> >> > I've tried using the rampart 1.5, and made a sts service that issues a
> >> > SAML2 assertion, so now I want to try to validate the signature. But
> >> > facing problems doing that. My sts service is the same as the one
> >> > provided by the distribution.
> >> > I've looked at the openSAML list and documentation and my signature
> >> > validation code looks like this
> >> >
> >> >     KeyStore ks = KeyStore.getInstance("JKS");
> >> >     InputStream is = new FileInputStream("resource/service.jks");
> >> >     // char password [] = new char[]{""};
> >> >
> >> >     ks.load(is, "pass".toCharArray());
> >> >
> >> >     KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) ks
> >> >             .getEntry("alias", new KeyStore.PasswordProtection(
> >> >                     "pass".toCharArray()));
> >> >
> >> >     X509Certificate cert = (X509Certificate) pkEntry.getCertificate();
> >> >
> >> >     BasicX509Credential x509Credential = new BasicX509Credential();
> >> >
> >> >     x509Credential.setEntityCertificate(cert);
> >> >     x509Credential.getEntityCertificateChain().add(cert);
> >> >
> >> >     SAMLSignatureProfileValidator signProfileValidator = new
> >> >             SAMLSignatureProfileValidator();
> >> >     signProfileValidator.validate(ass.getSignature());
> >> >
> >> >     SignatureValidator signValidator = new SignatureValidator(
> >> >             x509Credential);
> >> >
> >> >     signValidator.validate(ass.getSignature());
> >> >
> >> > But I always get
> >> >
> >> >     org.opensaml.xml.validation.ValidationException: Signature did not
> >> >     validate against the credential's key
> >> >
> >> > I do the conversion from org.apache.rahas.Token to SAML Assertion like
> >> > this
> >> >
> >> >     OMSource source = new OMSource(responseToken.getToken());
> >> >     Element assercioSAMLDOM = null;
> >> >     Transformer transformer;
> >> >     TransformerFactory transFac = TransformerFactory.newInstance();
> >> >
> >> >     try {
> >> >         transformer = transFac.newTransformer();
> >> >         DOMResult result = new DOMResult();
> >> >         transformer.transform(source, result);
> >> >
> >> >         assercioSAMLDOM = ((Document) result.getNode())
> >> >                 .getDocumentElement();
> >> >
> >> >     } catch (TransformerConfigurationException e2) {
> >> >         e2.printStackTrace();
> >> >     } catch (TransformerException e) {
> >> >         e.printStackTrace();
> >> >     }
> >> >
> >> >     UnmarshallerFactory unmarshallerFactory = Configuration
> >> >             .getUnmarshallerFactory();
> >> >     Unmarshaller unmarshaller = unmarshallerFactory
> >> >             .getUnmarshaller(Assertion.DEFAULT_ELEMENT_NAME);
> >> >
> >> >     Assertion ass = (Assertion) unmarshaller
> >> >             .unmarshall(assercioSAMLDOM);
> >> >
> >> > Seen on the SAML list that often these errors are due to conversion from
> >> > one xml model to another (token to SAML Assertion).
> >> >
> >> > So my question is, I looked in the rampart svn for validation code for
> >> > SAML 2 tokens, but could not find anything, has anyone tried this? Also
> >> > is the conversion from the rahas token to dom element correct? I managed
> >> > to validate signatures when validating SAML 1 token issued, but not now.
> >> >
> >> > cheers, Håkon
> >> >
> >> > --
> >> > Håkon Sagehaug, Scientific Programmer
> >> > Parallab, Bergen Center for Computational Science (BCCS)
> >> > UNIFOB AS (University of Bergen Research Company)
> >> >
> >>
> >> --
> >> Nandana Mihindukulasooriya
> >> WSO2 inc.
> >>
> >> http://nandana.org/
> >> http://www.wso2.org
> >>
> >
> > --
> > Håkon Sagehaug, Scientific Programmer
> > Parallab, Bergen Center for Computational Science (BCCS)
> > UNIFOB AS (University of Bergen Research Company)
>
> --
> Håkon Sagehaug, Scientific Programmer
> Parallab, Bergen Center for Computational Science (BCCS)
> UNIFOB AS (University of Bergen Research Company)
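The byte-stream conversion that resolved the thread's problem, followed by the two OpenSAML 2 validation steps, as an added example written for this discussion (it is not code from the thread, from Rampart or from WSS4J). It assumes the Axiom `OMElement` returned by `Token.getToken()` and a trusted STS certificate obtained separately; the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.axiom.om.OMElement;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Hypothetical helper class, not part of Rampart/WSS4J.
public final class Saml2AssertionVerifier {

    // Serialise the Axiom element to bytes and re-parse it with a namespace-aware
    // DOM parser. A Transformer-based OM->DOM copy can lose namespace or ID
    // details that the enveloped signature's reference depends on, which shows up
    // as "Signature did not validate against the credential's key".
    static Element toDom(OMElement assertionElement) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        assertionElement.serialize(out);
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for XML Signature processing
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(out.toByteArray()));
        return doc.getDocumentElement();
    }

    // Unmarshal and verify: reject unsigned assertions, enforce the SAML signature
    // profile (no external references, enveloped transform only), then check the
    // signature against the trusted STS certificate rather than any key found
    // inside the assertion's own KeyInfo.
    static Assertion verify(OMElement assertionElement, X509Certificate trustedStsCert)
            throws Exception {
        DefaultBootstrap.bootstrap(); // registers OpenSAML 2 providers; do once at startup
        Element dom = toDom(assertionElement);
        Unmarshaller u = Configuration.getUnmarshallerFactory().getUnmarshaller(dom);
        Assertion assertion = (Assertion) u.unmarshall(dom);
        if (assertion.getSignature() == null) {
            throw new ValidationException("assertion is not signed");
        }
        new SAMLSignatureProfileValidator().validate(assertion.getSignature());
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(trustedStsCert);
        new SignatureValidator(trusted).validate(assertion.getSignature());
        return assertion;
    }
}
```

Signature validity only proves the STS signed the assertion; the caller still has to check the conditions (NotBefore/NotOnOrAfter, audience) before trusting its contents.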
